August 16, 1995: I learned that David Byers and Eric Young, working
with Adam Back, had cracked the challenge about two hours before
me. Adam has a
description of their
achievement.

August 17, 1995: Netscape sent their official
response. I don't agree with their $10,000 figure, and they
badly underestimate the cost of breaking RC4-128
(the US-only version of their system).
Still, I do agree with their conclusion.

The cypherpunks are putting together a
"key cracking
ring" to see how fast this can get: they will decrypt example
sessions as fast as possible (I expect only about one day per
session), by using a lot of machines all over the Internet.

August 19, 1995: Hal posted a
second SSL
challenge to cypherpunks for the "key cracking ring" to
tackle.

The key cracking ring started working on this new challenge on
August 24, 1995, at 18:00 GMT, and got the result in
less
than 32 hours.

September 4, 1995: Communications Week International
wrote that I "enlisted a number of other engineers worldwide to
crack the code again - in just 32 hours". This is not
true. I did participate in the effort, but the credits
for organizing it should go to Adam Back and
Piete Brooks.

September 17, 1995: Ian Goldberg and David Wagner broke the pseudo-random
number generator of Netscape
Navigator 1.1. They get the session key in at most a few hours on
a single workstation.
Their
code is available by ftp.
You can get more details on a
web page
written by Laurent Demailly.

June 4, 1996: Le
Monde, a french newspaper, published a
paper with a somewhat garbled story about the Internet, that
ends by implying "Damien Rodriguez" is a pirate. I found
15 factual errors in that article.

The man who reads nothing at all is better educated than the man who
reads nothing but newspapers.

-- Thomas Jefferson

August 9, 2000: I'm still getting some mail about this, but I've
stopped replying. All this is not interesting anymore (to me, at least).

Related topics

You can get the source of the program
that I used to break the challenge.

You may want to know more about the ITAR (International Traffic in
Arms Regulations), which prevent Netscape from exporting their
more secure system. See the EFF ITAR export
archive or John Gilmore's crypto
export page.

The RSA-129
crack used about 50 times more computing power than I did for the
SSL challenge.

Cryptographic software is export-restricted by the US government
even if it didn't originate from the US (i.e. if imported, it
cannot be reexported). Yet, you can find strong cryptography in
the form of PGP (all over the world),
and SSLeay (in
Australia).